MyGRDC Application Vulnerability and Penetration Testing
Tender ID: 583133
Tender Details
Tender Description
This Tender is invited by the Issuer.
Background
GRDC is seeking proposals from qualified cybersecurity service providers to conduct end-to-end vulnerability and penetration testing for the soon-to-be-launched web-enabled portal MyGRDC. The objective of this testing is to identify potential security weaknesses and vulnerabilities related to application design and code that could be exploited by malicious actors.
Scope
The scope of this project includes the following key components:
Grey Box Testing: The selected provider will perform grey box penetration testing, where they will be provided with limited information about the application, such as architecture documentation, user roles, and access levels, simulating an insider’s perspective while also testing like an external attacker.
Target Application: The testing will focus exclusively on the MyGRDC application, which is a personalised web-enabled search portal, and its complementary mobile applications for both iOS and Android platforms.
Testing Phases
A) Information Gathering: Utilising provided documentation and additional reconnaissance to understand the application’s architecture, user roles, and potential entry points.
B) Static Analysis: Reviewing the application’s codebase and as-built components to identify potential vulnerabilities such as insecure coding practices, improper input validation, and code flaws.
C) Dynamic Analysis: Testing the application in its operational environment to identify runtime vulnerabilities, including injection flaws, cross-site scripting (XSS), and session management issues. This should also include exposed backend APIs, security misconfiguration, and access control mechanisms and their enforcement.
D) Exploitation: Attempting to exploit identified vulnerabilities to demonstrate the impact and potential risks associated with each vulnerability.
E) Reporting: Providing a detailed report of findings, including vulnerabilities identified, evidence of exploitation, risk assessment, and recommended remediation steps. Ideally this should be in the format of issue mapping against OWASP Application Security Verification Standard (ASVS).
F) Alignment: Evaluation and assessment against broader cybersecurity and compliance frameworks such as the ASD Essential Eight guidelines.
Requirements for Service Providers
To be considered for this project, service providers must meet the following requirements:
Experience: Proven experience in conducting vulnerability and penetration testing specifically for web or mobile applications, with a focus on application design and code vulnerabilities.
Certifications: At least one of the following certifications for team members conducting the testing: Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), or equivalent.
Methodology: A clear methodology based on industry standards (e.g., the OWASP Application Security Verification Standard) for conducting application security assessments.
Tools and Techniques: Proficiency in the use of both commercial and open-source tools for static and dynamic analysis, as well as vulnerability scanning and exploitation.
Reporting Standards: Ability to provide comprehensive reports that are clear, actionable, and tailored to both technical and non-technical audiences.
Expected Outcome
A comprehensive completion of Grey Box Application testing for the MyGRDC end-to-end system build and functionality. Report will include a presentation to key business stakeholders.
Deliverables
The following deliverables are expected from the service provider:
A detailed testing plan outlining the approach, tools, and techniques to be used.
Preliminary findings report upon completion of the testing phase.
A final comprehensive report including:
Executive summary and presentation
Detailed findings and evidence, categorised by severity
Risk ratings for each identified vulnerability
Remediation recommendations, including secure coding practices and design improvements
Suggested follow-up actions and retesting if necessary
Estimated start date: Wednesday, 07 May 2025
Initial contract duration: 3 weeks
Extension term: Not applicable
Location of work: ACT
Working arrangements: Hybrid